When the Ethereum Name Service, a smart contract that makes addresses on the Ethereum blockchain human-readable, was migrated to a newer smart contract, it contained a bug so severe that it cost developers over $25,000 to fix, the team said in a blog post yesterday.
On November 8, 2019, a bug was submitted to the Ethereum Bug Bounty page that would let someone claim back ownership over an address name, even if it were transferred to someone else. So, for instance, John Doe could register Decrypt.ETH, transfer it to Jane Doe, then claim it back.
“This would be pretty bad, so we realized relatively quickly that we had to migrate our entire infrastructure to a new registry,” said the team.
That meant that all 310,000 names on the Ethereum Name Service required updating, as well as 50,000 subdomains, 60,000 names using a resolver, and 37,000 names with addresses set. In total, that’s 360,000 names.
Modifying all those names would mean they’d have to spend a lot of money in transaction fees. Since, overall, the team had to modify around 847,000 “storage slots,” it had to spend a total of $25,000 worth of ETH to get the job done.
On January 27, the team deployed a new smart contract, and in the first full week of February, they migrated the names to a new smart contract. The job was finished by February 10.
Luckily, “upon investigating the vulnerability further, we were able to say with a large certainty that the vulnerability was not exploited,” said the team.